What's behind the iPad hack at Los Angeles High Schools?

Tom Kaneshige |
Oct. 2, 2013

When 340 high school students figured out how to remove mobile device management software from their iPads they did more than gain access to social networks and banned websites. They exposed what can go wrong with Apple's approach to supporting companies and schools looking to deploy and manage thousands of iPads.

"We're targeting kids who most likely don't have their own computers or laptops or iPads," Mark Hovatter, chief facilities executive for LAUSD, told CITEworld. "Their only exposure to computers now is going to be in their schools."

School districts across the country are feeling the iPad craze, although not to the level of LAUSD. For instance, Lexington School District One (LSDO) in South Carolina started a large iPad rollout in 2011 and today is up to 17,000 iPads, including 7,000 high school students.

Apple has been feeding the frenzy, too. Last year, Apple unveiled iBooks 2 for the iPad, a storefront for multimedia high school textbooks. Apple has special programs set up for education; schools can purchase iPads in 10-packs, while companies must buy individually wrapped iPads.

Both LSDO and LAUSD wanted their students to be able to bring iPads home. The thinking goes, if you give a person a sense of iPad ownership, then great things will happen. Students could use iPads for off-hours tutoring, homework and late-night studying.

Allowing iPads outside the corporate network, however, raises the bar on security. The school districts bought MDM software that would restrict students from using, say, iMessage or downloading apps rated 17+ from the Apple App Store. The school districts also wanted content filtering in the form of Apple Global HTTP Proxy, which blocks Facebook, Twitter, YouTube (except for educational content) and other sites.

LSDO chose MobileIron as its MDM vendor and LAUSD chose Airwatch. The problem with MDM is that it's made for a company's BYOD crowd. MDM was designed for employees to easily opt in and opt out. When an employee opts out and essentially un-enrolls from the BYOD program, an alert is sent to IT. The employee simply loses access to corporate assets.

In order to prevent students from opting out of MDM, LSDO most likely relied on written policies. That is, students and parents probably signed an agreement that they would not opt out of their MDM profiles. For employees in a corporate setting, there are repercussions for violating such an agreement, ranging from a bad mark on a performance review to termination.

Repercussions for high school students? Not so much. LAUSD's policy-driven approach was akin to hanging a "Do Not Enter" sign on a gym door; kids will still sneak in to play basketball. In other words, LAUSD should not have been surprised when hundreds of students opted out of MDM.

Securing iPads in Field Today, there's not much you can do to prevent users from opting out of their MDM profiles and losing some security over iPads. But MDM is only half the story, because it represents only half the security measures.